CloudTrail userIdentity Element

AWS Identity and Access Management (IAM) provides different types of identities. The
userIdentity
element contains details about the type of IAM identity that made the request, and
which
credentials were used. If temporary credentials were used, the element shows how
the
credentials were obtained.

When a request is made with temporary security credentials obtained by assuming an
IAM role, the userIdentity element also carries details about the role that was
assumed to get the credentials (see the sessionIssuer field below).

Fields

The following fields can appear in a userIdentity element.

type

The type of the identity. The following values are possible:

Root – The request was made with your AWS account credentials. If the userIdentity
type is Root and you set an alias for your account, the userName field contains your
account alias. For more information, see Your AWS Account ID and Its Alias.

IAMUser – The request was made with the credentials of an IAM user.

AssumedRole – The request was made with temporary security credentials that were
obtained by assuming a role via a call to the AWS STS AssumeRole API. The
sessionIssuer element describes the role that was assumed.

FederatedUser – The request was made with temporary security credentials that were
obtained via a call to the AWS STS GetFederationToken API. The sessionIssuer element
indicates if the API was called with root or IAM user credentials.

AWSAccount – The request was made by another AWS account.

AWSService – The request was made by an AWS service that assumed an IAM role in your
account to call other AWS services on your behalf (for example, AWS Elastic
Beanstalk). Because you own the IAM role, you receive a log that shows the AWS
service assumed the role. The type is AWSService.

userName

The friendly name of the identity that made the call. The value that appears in
userName is based on the value in type. The following list shows the relationship
between type and userName:

Root (no alias set) – userName: Not present. If you have not set up an alias for your
AWS account, the userName field does not appear. For more information about account
aliases, see Your AWS Account ID and Its Alias. Note that the userName field will
never contain Root because Root is an identity type, not a user name.

Root (alias set) – userName: The account alias.

IAMUser – userName: The user name.

AssumedRole – userName: Not present. For the AssumedRole type, you can find the
userName field in sessionContext, as part of the sessionIssuer element. For an
example entry, see Examples.

FederatedUser – userName: Not present. The sessionContext and sessionIssuer section
contains information about the identity that issued the session for the federated
user.

AWSService – userName: Not present.

AWSAccount – userName: Not present.

Note

The userName field contains the
string HIDDEN_DUE_TO_SECURITY_REASONS when the recorded
event is a console sign-in failure caused by incorrect user name input.
CloudTrail does not record the contents in this case because the text could
contain sensitive information, as in the following examples:

A user accidentally types a password in the user name
field.

A user clicks the link for one AWS account's sign-in page,
but then types the account number for a different one.

A user accidentally types the account name of a personal email
account, a bank sign-in identifier, or some other private ID.

principalId

A unique identifier for the entity that made the call. For requests made with temporary
security credentials, this value includes the session name that is passed to
the AssumeRole, AssumeRoleWithWebIdentity, or
GetFederationToken API call.

arn

The Amazon Resource Name (ARN) of the principal that made the call. The
last section of the arn contains the user or role that made the call.

accountId

The account that owns the entity that granted permissions for the request. If the
request
was made with temporary security credentials, this is the account that owns
the IAM user or role that was used to obtain credentials.

accessKeyId

The access key ID that was used to sign the request. If the request was made with
temporary security credentials, this is the access key ID of the temporary
credentials.

sessionContext

If the request was made with temporary security credentials, an element that provides
information about the session that was created for those credentials.
Sessions are created when any API is called that returns temporary
credentials. Sessions are also created when users work in the console and
when users make a request with APIs that include multi-factor
authentication. Attributes for this element are:

creationDate – The date and
time when the temporary security credentials were issued.
Represented in ISO 8601 basic notation.

mfaAuthenticated – The value is true if the root user
or IAM user whose credentials were used for the request also was
authenticated with an MFA device; otherwise,
false.

invokedBy

The name of the AWS service that made the request, such as Amazon EC2 Auto Scaling
or AWS Elastic Beanstalk.

sessionIssuer

If the request was made with temporary security credentials, an element that provides
information about how the credentials were obtained. For example, if the
temporary security credentials were obtained by assuming a role, this
element provides information about the assumed role. If the credentials were
obtained with root or IAM user credentials to call AWS STS
GetFederationToken, the element provides information about
the root account or IAM user. Attributes for this element are:

type – The source of the
temporary security credentials, such as Root,
IAMUser, or Role.

userName – The friendly name of the user or role that issued the session. The value
that appears depends on the sessionIssuer identity type:

Root (no alias set) – userName: Not present. If you have not set up an alias for your
account, the userName field does not appear. For more information about AWS account
aliases, see Your AWS Account ID and Its Alias. Note that the userName field will
never contain Root because Root is an identity type, not a user name.

Root (alias set) – userName: The account alias.

IAMUser – userName: The user name. This also applies when a federated user is using a
session issued by IAMUser.

Role – userName: The role name. A role assumed by an IAM user, AWS service, or web
identity federated user in a role session.

principalId – The internal
ID of the entity that was used to get credentials.

arn – The ARN of the source
(account, IAM user, or role) that was used to get temporary
security credentials.

accountId – The account
that owns the entity that was used to get credentials.
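The userName, sessionContext and sessionIssuer rules above are easy to get wrong in a detection pipeline (userName is absent for AssumedRole, never "Root", and can be the HIDDEN_DUE_TO_SECURITY_REASONS placeholder; mfaAuthenticated is a string). The following Python is an added example, not AWS documentation code, that flattens a userIdentity element into one "who made the call" record and runs a few checks over it. All events are constructed; the account ID, names, dates and the invokedBy service principal are placeholders.

```python
"""Normalize the CloudTrail userIdentity element into one "who made the call" record
and run a few detection checks over it.  Added example, not AWS documentation code;
the events below are constructed, with placeholder account IDs, names and dates."""

HIDDEN = "HIDDEN_DUE_TO_SECURITY_REASONS"
ACCT = "123456789012"  # placeholder account ID


def attrs(mfa, when):
    """sessionContext.attributes as CloudTrail records them: strings, not booleans."""
    return {"mfaAuthenticated": mfa, "creationDate": when}


# Constructed sample events, trimmed to the fields this example reads.
SAMPLE_EVENTS = [
    {"eventName": "CreateUser",          # root credentials, no account alias, no MFA
     "userIdentity": {"type": "Root", "principalId": ACCT, "accountId": ACCT,
                      "sessionContext": {"attributes": attrs("false", "20240101T120000Z")}}},
    {"eventName": "ListBuckets",         # IAM user, MFA-authenticated
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE",
                      "accountId": ACCT, "userName": "alice",
                      "sessionContext": {"attributes": attrs("true", "20240101T120500Z")}}},
    {"eventName": "PutObject",           # role session: no top-level userName
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEDEPLOY:deploy-session",
                      "arn": f"arn:aws:sts::{ACCT}:assumed-role/DeployRole/deploy-session",
                      "accountId": ACCT,
                      "sessionContext": {"attributes": attrs("false", "20240101T121000Z"),
                                         "sessionIssuer": {"type": "Role", "accountId": ACCT,
                                                           "principalId": "AROAEXAMPLEDEPLOY",
                                                           "userName": "DeployRole"}}}},
    {"eventName": "DescribeInstances",   # GetFederationToken session issued by an IAM user
     "userIdentity": {"type": "FederatedUser", "principalId": f"{ACCT}:bob",
                      "arn": f"arn:aws:sts::{ACCT}:federated-user/bob", "accountId": ACCT,
                      "sessionContext": {"attributes": attrs("false", "20240101T121500Z"),
                                         "sessionIssuer": {"type": "IAMUser", "accountId": ACCT,
                                                           "principalId": "AIDAEXAMPLECAROL",
                                                           "userName": "carol"}}}},
    {"eventName": "AssumeRole",          # an AWS service assuming a role you own
     "userIdentity": {"type": "AWSService", "invokedBy": "elasticbeanstalk.amazonaws.com"}},
    {"eventName": "ConsoleLogin",        # failed sign-in: user name withheld by CloudTrail
     "userIdentity": {"type": "IAMUser", "principalId": HIDDEN, "accountId": ACCT,
                      "userName": HIDDEN}},
]


def describe_identity(ui):
    """Flatten a userIdentity element into the effective caller and how it was obtained."""
    kind = ui.get("type")
    ctx = ui.get("sessionContext", {})
    issuer = ctx.get("sessionIssuer", {})
    rec = {"type": kind, "name": None, "session_name": None, "account": ui.get("accountId"),
           "issuer_type": issuer.get("type"), "issuer_name": issuer.get("userName"),
           # mfaAuthenticated is the string "true"/"false", so compare as a string
           "mfa": ctx.get("attributes", {}).get("mfaAuthenticated") == "true",
           "hidden_username": ui.get("userName") == HIDDEN, "invoked_by": ui.get("invokedBy")}
    if kind == "Root":
        rec["name"] = ui.get("userName", "<root, no alias>")  # userName only if an alias is set
    elif kind == "IAMUser":
        rec["name"] = ui.get("userName")
    elif kind in ("AssumedRole", "FederatedUser"):
        # AssumedRole: the role name lives in sessionIssuer; the session name is the
        # last ARN component.  FederatedUser: the ARN ends in federated-user/NAME and
        # sessionIssuer is the Root/IAMUser whose credentials called GetFederationToken.
        last = ui.get("arn", "").rsplit("/", 1)[-1]
        rec["name"] = issuer.get("userName") if kind == "AssumedRole" else last
        rec["session_name"] = last
    elif kind == "AWSService":
        rec["name"] = ui.get("invokedBy")
    elif kind == "AWSAccount":
        rec["name"] = ui.get("accountId")
    return rec


def findings(event):
    """Detection checks worth running over every event's identity."""
    ui = event["userIdentity"]
    who = describe_identity(ui)
    out = []
    if who["type"] == "Root":
        out.append("root-credentials-used")
    if who["type"] in ("Root", "IAMUser") and "sessionContext" in ui and not who["mfa"]:
        out.append("no-mfa")
    if who["issuer_type"] == "Root":
        out.append("session-issued-with-root-credentials")
    if who["hidden_username"]:
        out.append("console-signin-failure-username-hidden")
    return out


def summarize(events):
    """Map eventName -> (effective caller name, findings) for a batch of events."""
    return {e["eventName"]: (describe_identity(e["userIdentity"])["name"], findings(e))
            for e in events}


if __name__ == "__main__":
    for name, (who, flags) in summarize(SAMPLE_EVENTS).items():
        print(f"{name:18} {str(who):32} {flags}")
```

Real log files wrap events in a {"Records": [...]} object; feed each element of that array to findings(). The "no-mfa" check is deliberately gated on sessionContext being present, since a record without it (such as the withheld-username sign-in failure) carries no MFA information at all.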

webIdFederationData

If the request was made with temporary security credentials obtained by web identity federation, an
element that lists information about the identity provider. Attributes for
this element are:

federatedProvider – The
principal name of the identity provider (for example,
www.amazon.com for Login with Amazon or
accounts.google.com for Google).

attributes – The application ID and user ID as reported by the
provider (for example, www.amazon.com:app_id and
www.amazon.com:user_id for Login with Amazon). For
more information, see Available Keys for Web Identity Federation in the
IAM User Guide.

Values for AWS STS APIs with SAML and Web Identity
Federation

AWS CloudTrail supports logging AWS Security Token Service (AWS STS) API calls made
with Security Assertion Markup
Language (SAML) and web identity federation. When a call is made to the AssumeRoleWithSAML and AssumeRoleWithWebIdentity APIs, CloudTrail records the call and
delivers the event to your Amazon S3 bucket.

The userIdentity element for these APIs contains the following values.

type

The identity type.

SAMLUser – The request was made with a SAML assertion.

WebIdentityUser – The request was made by a web identity federation
provider.

principalId

A unique identifier for the entity that made the call.

For SAMLUser, this is a combination of the
saml:namequalifier and saml:sub keys.

For WebIdentityUser, this is a combination of the
issuer, application ID, and user ID.
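Pulling the federated provider and subject out of these records, and then checking the provider against an allowlist, is the first thing a practitioner wants from them. The following Python is an added example, not AWS code, covering both the SAMLUser / WebIdentityUser records of the STS calls and the webIdFederationData element of the role session they produce. It assumes the colon-separated principalId layouts "namequalifier:sub" (SAMLUser) and "issuer:app_id:user_id" (WebIdentityUser); the events, the provider names and the allowlist are constructed.

```python
"""Extract the federated subject from SAMLUser / WebIdentityUser records and check
web identity providers against an allowlist.  Added example, not AWS code.  It
assumes the colon-separated principalId layouts "namequalifier:sub" (SAMLUser) and
"issuer:app_id:user_id" (WebIdentityUser); events and allowlist are constructed."""

ALLOWED_ISSUERS = {"accounts.google.com", "www.amazon.com"}  # constructed allowlist

SAMPLE_STS_EVENTS = [
    {"eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser",
                      "principalId": "EXAMPLEnameQualifierBase64=:alice@example.com"}},
    {"eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser",
                      "principalId": "accounts.google.com:app-id.apps.googleusercontent.com:10769150"}},
    {"eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser",
                      "principalId": "idp.attacker.example:app:user1"}},
    # A later call made with the role session that AssumeRoleWithWebIdentity returned.
    {"eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEMOBILE:app-session",
                      "arn": "arn:aws:sts::123456789012:assumed-role/MobileAppRole/app-session",
                      "accountId": "123456789012",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                                                           "userName": "MobileAppRole"}},
                      "webIdFederationData": {
                          "federatedProvider": "www.amazon.com",
                          "attributes": {"www.amazon.com:app_id": "amzn1.application.EXAMPLE",
                                         "www.amazon.com:user_id": "amzn1.account.EXAMPLE"}}}},
]


def federated_principal(ui):
    """Return the provider and subject behind a userIdentity, or None when the call
    did not come through SAML or web identity federation."""
    kind = ui.get("type")
    pid = ui.get("principalId", "")
    if kind == "SAMLUser":
        # saml:namequalifier is base64 (no colons), so split at the first colon.
        qualifier, _, subject = pid.partition(":")
        return {"source": "saml", "issuer": None, "qualifier": qualifier, "subject": subject}
    if kind == "WebIdentityUser":
        # Split from the right so an issuer that itself contains ":" stays intact.
        parts = pid.rsplit(":", 2)
        if len(parts) != 3:  # malformed: keep the raw value, issuer unknown (gets flagged)
            return {"source": "webid", "issuer": None, "app_id": None, "subject": pid}
        issuer, app_id, subject = parts
        return {"source": "webid", "issuer": issuer, "app_id": app_id, "subject": subject}
    wif = ui.get("webIdFederationData")
    if wif:
        # The role session itself.  Attribute keys are provider-specific; the
        # <provider>:app_id / <provider>:user_id pair is the Login with Amazon form.
        provider = wif.get("federatedProvider")
        attributes = wif.get("attributes", {})
        return {"source": "webid-session", "issuer": provider,
                "app_id": attributes.get(f"{provider}:app_id"),
                "subject": attributes.get(f"{provider}:user_id")}
    return None


def provider_findings(event, allowed_issuers):
    """Flag web identity calls and sessions whose provider is not on the allowlist."""
    fp = federated_principal(event["userIdentity"])
    if fp is None or fp["source"] == "saml":
        return []
    if fp["issuer"] not in allowed_issuers:
        return [f"unapproved-identity-provider:{fp['issuer']}"]
    return []


if __name__ == "__main__":
    for e in SAMPLE_STS_EVENTS:
        print(e["eventName"], federated_principal(e["userIdentity"]),
              provider_findings(e, ALLOWED_ISSUERS))
```

The SAML branch only extracts the subject: saml:namequalifier is a hash rather than a provider name, so an allowlist there should be keyed on the SAML provider configured in IAM instead, which this record does not carry.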